Archive for the ‘Vendor Assessment’ Category

White House Releases Software Supply Chain Security Guidance

The White House published a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) which aims to improve software supply chain integrity and security. Signed by OMB Director Shalanda Young, the memo builds on Executive Order (EO) 14028, Improving the Nation’s Cybersecurity from May 2021, which is focused on the security and integrity […]

Vendor Security Assessment

Assessing the security of network equipment. This document provides guidance on how operators should assess the security of vendors’ security processes and vendor equipment, and is referenced in the Telecom Security Act Code of Practice. The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the […]

Government guide for supply chain security: The good, the bad and the ugly

Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers. My first reaction was that it’s great to see these […]

Why You Need a Third-Party Risk Management (TPRM) Program

What entity or sector doesn’t engage with a third party in some way, shape or form? Not many. The reality is that outsourcing, contracting and subcontracting happen all the time and are the norm as businesses continue to embrace the core/context mindset and division of labor. The more you outsource, the more you need to […]

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp. The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication […]

Patch Madness: Vendor Bug Advisories Are Broken, So Broken

Dustin Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs. BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has […]

How to Identify and Reduce the Risks of 3rd Party Vendors

In a landscape filled with new threats and regulations, managing the risks of 3rd party vendors is vitally important. Most financial institutions have tens of thousands of supplier relationships, and many data breaches originate through IT vendors within the supply chain. Compounding this dilemma, […]

How to read a SOC 2 Report

The following conversation about reviewing a SOC 2 report is one to avoid. Potential Customer: “Hi Vendor Co., do you have a SOC 2?” Vendor Co. Sales Rep: “Yes!” Potential Customer: “Great! We can’t wait to start using your service.” The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that […]

Strengthening third-party vendor programs in times of crisis and beyond

The ongoing global turmoil has tested the supply chain across industries in a myriad of ways – from strained resources and remote workflows to security concerns and more. Sustaining a resilient supply chain is one area where many organizations have seen disruptions and business risk, mostly related to managing third-party vendors. Recent reports have found that 85% of […]

Supply Chain at Risk: Brokers Sell Access to Shipping, Logistics Companies

As if disruption to the global supply chain post-pandemic isn’t bad enough, cybercriminals are selling access, sometimes in the form of credentials, to shipping and logistics companies in underground markets. That’s a worrisome, if not unexpected, development; a cybersecurity incident at a company that operates air, ground and maritime cargo transport on multiple continents and […]

4 things you can do to minimize cyberattacks on supply and value chains

The SolarWinds hack was a classic supply chain attack, compromising downstream organizations in order to traverse the victim’s extended enterprise of customers, suppliers, vendors and other third parties to gain unauthorized access to their on-premises and cloud systems. The hack was unprecedented, transforming a core security product into a malware delivery system that provided unauthorized access to […]

What is Third-Party Risk?

What businesses need to know to evaluate partner cyber resilience

Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny in evaluating access and controls of partners handling valuable customer data, and the imperativeness of assessing a third party’s (hopefully multi-layered) approach to cyber resilience. Given the average number of tech tools, platforms and partnerships today, having a clear and consistent […]

Accellion Supply Chain Hack

Why is financial cyber risk quantification important?

In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the […]

Third-party risk management programs still largely a checkbox exercise

Recent data indicates that they are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action. So TPRM programs are nominally jumping through hoops to ask vendors about or observe […]

Monitoring and reviewing third party InfoSec services

Control A10 of ISO 27001 mandates that the outsourcing organization monitor and review the performance of third-party service providers on a regular basis, which includes contractors working on critical assets within the scope. A Service Level Agreement (SLA) or Operational Level Agreement (OLA) is the binding legal agreement which includes all the important services to […]

A guide to contract and commercial management for professionals

Contract and Commercial Management “Almost 80% of CEOs say that their organization must get better at managing external relationships. According to The Economist, one of the major reasons why so many relationships end in disappointment is that most organizations ‘are not very good at contracting’. This ground-breaking title from leading authority IACCM (International Association for […]

Laptop security and vendor assessment

Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted. According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. […]

Comments (4)